Hello, thanks Klaus and Victor for details.
With kamailio 1.5 this can be solved in another way, pretty easy -- allow users to call only from registered devices. Check here the example 2:

http://openser.blogspot.com/2008/10/registrar-enhancements.html

The condition can be extended so that you match the received (source IP)/contact in the INVITE with the contact in the location record.

So guys, start testing 1.5, it does have a lot of cool new features:

http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x

Cheers,
Daniel

On 01/15/2009 12:00 PM, Klaus Darilion wrote:
> Hi!
>
> For those who are interested in this attack - I have attached the
> relevant slides from my SIP security lectures.
>
> regards
> Klaus
>
> PS: an exploit based on sipp scenario files is available too on
> request (for educational purposes :-)
>
> Klaus Darilion wrote:
>> IIRC to solve this issue completely the UAC should never send
>> credentials to unknown parties - only to its SIP proxy (some clients
>> have a "force outbound proxy" feature which does the same). Then the
>> SIP proxy can remove credentials before forwarding to other parties.
>>
>> As soon as a client sends messages (with credentials) directly to
>> other parties there is nothing you can do on the proxy side.
>>
>> regards
>> klaus
>>
>> Victor Pascual Ávila wrote:
>>> Hi,
>>> excuse me if this message is not directly related to Kamailio.
>>>
>>> I'm just wondering if folks could share with me if (and how) they have
>>> prevented the "SIP Digest Access Authentication RELAY" in their
>>> networks (and what worked for them or not).
>>> NAT boxes reduce dramatically the scenarios for a successful attack.
>>> Otherwise, some might be mitigating the attack by means of forcing UAs
>>> to use outbound proxies while others might be reducing the attack
>>> incentives by means of message integrity.
>>>
>>> Any comment would be appreciated,
>>
>> _______________________________________________
>> Kamailio (OpenSER) - Users mailing list
>> Users@lists.kamailio.org
>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users

-- 
Daniel-Constantin Mierla
http://www.asipto.com
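[Editor's note: the following is an added illustration, not part of the thread and not Kamailio code. It is a small Python model of the two points raised above: the digest relay that Victor and Klaus describe, where credentials a UA hands to an unknown party are replayed against its own proxy, and the proxy-side check Daniel proposes, accepting an INVITE only when its source matches a binding in the location table. The realm, user, password, addresses and nonce are constructed for the example; the digest computation is RFC 2617 without qop, and `received` is assumed to be the source IP the registrar stored at REGISTER time.]

```python
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2).

    HA2 binds the response to method and request-URI, so a relayed
    Authorization header only verifies for a request with the same
    method, URI and nonce as the one the victim signed.
    """
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


# Constructed proxy state (hypothetical values, not real subscribers).
REALM = "sip.example"
SUBSCRIBERS = {"alice": "s3cret"}
# AoR -> bindings stored at REGISTER time; "received" is the source IP.
LOCATION = {
    "alice": [{"contact": "sip:alice@10.0.0.5:5060", "received": "10.0.0.5"}],
}


def verify_digest(auth, method, password):
    """Digest-only check, as a proxy without the extra condition would do."""
    expected = digest_response(auth["username"], auth["realm"], password,
                               method, auth["uri"], auth["nonce"])
    return expected == auth["response"]


def source_matches_binding(aor, src_ip):
    """Daniel's condition: the INVITE must come from a registered device.

    Compares the packet source against the stored 'received' address
    rather than the Contact header, because Contact is attacker-controlled
    and can simply be copied from the victim.
    """
    return any(b["received"] == src_ip for b in LOCATION.get(aor, []))


def proxy_accepts_invite(invite):
    """Return (accepted, reason) for an INVITE arriving at the proxy."""
    auth = invite["authorization"]
    user = auth["username"]
    if user not in SUBSCRIBERS or auth["realm"] != REALM:
        return False, "unknown user"
    if not verify_digest(auth, invite["method"], SUBSCRIBERS[user]):
        return False, "bad digest"
    if not source_matches_binding(user, invite["src_ip"]):
        return False, "not from registered device"
    return True, "ok"


def relay_scenario():
    """Model the relay: the attacker, acting as the far end of a dialog,
    challenges alice's request with a nonce it obtained from the real
    proxy, receives her Authorization header, and reuses it verbatim in
    its own INVITE (same method and request-URI) sent to the proxy."""
    nonce = "5f1a9c0e2b7d"  # constructed; assumed still valid at the proxy
    uri = "sip:+15551234567@sip.example"
    victim_auth = {
        "username": "alice", "realm": REALM, "uri": uri, "nonce": nonce,
        "response": digest_response("alice", REALM, "s3cret", "INVITE", uri, nonce),
    }
    legit = {"method": "INVITE", "src_ip": "10.0.0.5", "authorization": victim_auth}
    relayed = {"method": "INVITE", "src_ip": "198.51.100.9", "authorization": victim_auth}
    return {
        "digest_alone_accepts_relay": verify_digest(victim_auth, "INVITE", "s3cret"),
        "legit": proxy_accepts_invite(legit),
        "relayed": proxy_accepts_invite(relayed),
    }


if __name__ == "__main__":
    for k, v in relay_scenario().items():
        print(f"{k}: {v}")
```

The digest-only check passes for the relayed INVITE, which is the whole problem: nothing in the Authorization header says who is sending it. The source/binding condition rejects it because the attacker's host is not in alice's location record. Two caveats follow from the thread itself: Klaus's point stands, since the check only helps at a proxy that applies it and does nothing about credentials the UA has already handed out; and Victor's NAT remark cuts both ways, because behind a shared NAT the stored `received` address is the NAT's public IP, so the check is only as granular as that address.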